Hey guys n gurls, I was wondering if it is smart to disable my VPN connection for casual browsing.
Reasons: when having VPN constantly running it may be possible to track me via browser fingerprinting.
Szenario: the connection coming from the VPN which hypothetically downloaded a torrent, tries to watch capitalist propaganda while living in China, etc.pp has this screen ratio, this locale, this addons etc. And (more important) the YouTube login cookie we know belongs to this physical person/telephone number etc.
So I am wondering if I should only use the VPN when “needing” it (read articles not available in country, Netflix, read information government doesn’t like, things like that.) Or if I’m missing something here and I could obscure my causal day to day browsing as well without decreasing the security of the VPN.
For reference, the VPN doesn’t log anything (for more than a day) to my knowledge
EDIT: From what I understand from the comments: switching the VPN has little to no impact on widely used tracking and if at all makes it easier to corelate data. People emphasize the general lack of full privacy if you are wanted by entities willing to spend enough resources. But for the general need of privacy in normal usecases it makes more sense to just leave the VPN running.
tldr; no, if you trust your vpn more than your ISP always use it, as any hit to fingerprinting is menial.
it really can’t hurt much to always be using it. any fingerprinting metric it would give is outweighed by the hiding of your IP behind the proxy. this is the #1 unique identifier that is tied back to people/locations.
the other fingerprinting metrics also are still exposed anyway & could probably be linked back to “you” regardless of your IP changing if they wanted too.
if you are worried about fingerprinting look into some projects like mullvad, librewolf, or even tor. clearing cookies on quit &/or having a separate browser for permenant logins/tokens to live in is also a good mitigation technique.
Thanks for the detailed response. I’m sure my IP is most relevant in tracking me, but if I’m tracked while visiting Lemmy/YouTube it would do no harm, while correlating my YouTube activity with my e.g. me reading websites the government doesn’t like would do harm.
I use mullvad, and previously read using tor through a VPN doesn’t really make sense. I have Firefox set to not save cookies, but I have made an exception for YouTube as it is to troublesome to log in with 2fa all the time.
My thought was that it may be easier to match up the fingerprint of @somelemmyuser accessing lemmy with the fingerprint of @somelemmyuser downloading capitalist propaganda while living in China if they come from the same VPN in a similar timeframe, while it would be harder to match the fingerprint of @somelemmyuser acsessing Lemmy from an normal ISP to the fingerprint of @somelemmyuser accsessing capitalist propaganda from a VPN, as you would need both datasets to find matches.
And since me accessing Lemmy is not a problem but my lemmy account could be tracked back to me as a physical person, it could be smart to not do it with the same VPN.
ahhh I see what you mean.
your thoughts on spacing out your connections & isolating is smart. unfortunately if you connect from the same device & browser any government agency or dedicated company with a big enough dataset (google, meta, etc.) would still be able to link you regardless of you IP by browser fingerprint alone. this does make YouTube more specifically being linked to your exact browser fingerprint porblamatic in a high stakes situation. As it, as you said is linked to your identity.
for lower level tracking changing IP regularly is effective. however, instead of switching to your local IP it would be more privacy conscious to just switch to a different VPN server.
unfortunately if you are genuinely worried about government level surveillance or the likes u enter into territory where VPNs often no longer cut it (or at least can’t truly be trusted too) as they are centralized & can be forced to make exceptions for law enforcement. traffic analysis is also easier, which makes time correlation deanonimization a more realistic risk when talking about government agencies specifically.
the tor + vpn debate is one that lots of people argue & is excedingly complicated. tor is generally more than enough, unless you are wanted by INTERPOL haha. if you are genuinely worried about suppressive government or world powers targeting you look further into tor, & do not connect directly to your ISP at all as that data is essentially up for grabs to local authorities (depending on locale).
for you specifically I would consider doing your more sensitive tasks in the tor browser without the VPN & then having your normal browser always on the VPN so they would be more difficult to correlate. anything torrent related is low enough stakes that I would imagine just about any proxy would suffice. hope this was helpful 🙏.
It was, that was the kind of information I needed, as it helps to differentiate what kind/level of privacy I have and what kind/level of privacy different actors can circumvent etc.
As I am mostly looking at not generating useful data for shitcompanies like amazon, google, Microsoft etc. The always onvpn and no cookies except YouTube should be more than sufficient. If my country decides that my political opinion is no longer permitted I should nevertheless be using Tor and check if I’m unique (fingerprint wise).
Never disable it. Actually, setup a firewall so no apps have internet access in-case the VPN is down.
deleted by creator
Problem: you csn’t use split tunneling with this solution, so if you want to connect to your local devices at home, that won’t work.
deleted by creator
Timing attacks are a thing and behavior can be correlated by metadata and situational considerations, e.g. Bob only uses his VPN at night, and only for 21 minutes on average. Jane uses her VPN from roughly 830am to 515pm M-F. What do those patterns mean?
But so long as it works and the costs are low, use the VPN constantly. And always check for leaks.
Any suggestions about checking leaks etc? I have done this one check, but I’m not that deep in the matter to know if its enough.
So you say to keep it running - any (technical) reasoning or just that you think my YouTube connection exiting the vpn and the connection to the website the government doesn’t like exiting the VPN can not be correlated that easy?
If you use it for everything, when you use it ceases to be useful information for data gatherers.
It’s why companies have data retention policies. That way they can’t be accused of intentionally destroying data to hide things, because they destroy ALL data like that.
I would just leave it running all the time as it does give a privacy boost by masking ur approximate location and not letting your ISP spy on you. If you are going to do things like torrenting or visiting websites the government won’t like, at LEAST use a different browser that is hardened (let’s say you use basic firefox for regular browsing, use Mullvad browser or something instead for that specific task), or just straight up use TOR if what you are trying to do won’t require that fast of internet speeds. If you are solely worried about the VPN IP address, you can just switch to a different server to a different country.
that’s not how it works.
your vpn doesn’t do anything to mitigate broswer fingerprinting. websites use browser fingerprinting to identify a unique browser no matter the ip its connecting from. when i connect through mullvad’s french server, it identifies my browser just like when i connect through any other server.
most of the time those sites even clock that i’m connecting through a vpn.
a computer that is connected to some vpn and downloads a torrent while also visiting a website that fingerprints their browser will not have the two conflated unless the attacker can match traffic coming out of the vpn and traffic going into the computer.
that information wouldn’t be useful to an attacker unless they also had access to the website that fingerprinted the browser and were part of the torrent swarm so they could actually say yes, browser 12345 and user 34567 downloading The_Mummy_CrAcK_DeNuVo.mp4 are the same person and they were at this ip that corresponds to this router at this physical location and when we confiscate their computer we can verify their browser has the fingerprint, open and shut case, book em’ dano.
if you disconnect from your vpn intermittently it actually makes those checks easier because then the attacker can say “look, browser 12345 is coming from both the french mullvad node and from this little coffee shop in taipei! get em!”
a single vpn proxy can’t protect you from a hypothetical hostile whole ass internet.
Thanks, that makes sense.
not sure if relevant, but you can use this for info
It won’t make any difference. It actually could potentially make you more fingerprintable, since your IP adress is no longer shared with many other people depending on the VPN you’re using, etc.
At the end of the day, VPNs are not necessary to be not tracked, since your IP adress changes regulary, but it can be helpful in some scenario’s and it’s not harmful either, aslong your provider is not a bad actor.
Personally I’d rather my ISP see more of my internet activity as I think they are less likely to be interested in using/selling as much of my data (or be compromised in some way) as a VPN company. But I could be wrong.
Shortly after the net neutrality rules where first revoked mine sent a message asking me to opt out of gathering data for sale, so defiantly not always the case. Not trusting some checkbox to prevent them from doing so in the future got everything that can be put through tunnels since.
Ah that’s too bad, guess I can’t really blame you then.
since your IP adress changes regulary,
I’m missing where you are getting this information…?
In the US pretty much all our ISPs use dynamic IPs by default and charge extra for static IPs. The lease time on the dynamic IP varies dramatically from ISP to ISP.
So they made a completely random assumption?
aaaa
Oh okay, never heard of this since it’s very unsual to give static IPs to people, especially since IPv4 adresses are very limited in their amount.
A favored test by the AirVPN people. Gives a decent picture of your print. Thing is, they can pick all the scree resolutions and browser types they like, but it only does good with a location
Use safing SPN with their portmaster app, then you can set it on/off per app, or even per url.